Point of view: Nullcon 2015

It’s been one full year since the end of the practical information security forum held in India. I realize that the country and the event will forever stay in my memory and some of the other participants will remember them, too. We’ve had it all: pursuits, quardocopters, motorbiking accidents, an Indian hospital, meditation and information security.

Day One: Hare Krsna

The roar of airplanes and the hassle with luggage fall behind. Our nostrils are attacked by the smell of bonfires; our eyes, used to the leaden hues of Moscow sky, squint at the Indian sun. “It’s four days before the event – was it too much to include so many days for acclimatization?” I ask myself as I watch heaps of trash burning down the sides of the road.

“It’s the beginning of the season in Goa. Strange there are so few tourists from Russia this year,” is all I can make out from the taxi driver’s mumble. Should I tell him about the new currency rates or yell there is a cow on the road ahead… Unlike the animal, I still cannot get used to left-hand traffic.

Day Two: Point of No Return

Anyway, after our flight and the barely perceptible change of time zones I slept for 14 hours. Today I am getting together with my friend and colleague researcher for the study we are presenting at Nullcon – Stanislav Merzlyakov. Or simply “Mr. Stas” as the organizers were politely referring to him in our correspondence. In Goa for the second time, Stas had warned me while still in Moscow: “We are not visiting any tourist places. We shall go deep into the state, away from beaches, white-skinned people and as near as we can to marmosets. If you want to swim and sunbathe – you have one day for that.” Oh yeah… The one I spent in my bed.

“No snacks until we find bikes for all of our 10 days’ stay,” we decided and headed down the beach. I wish we had eaten and forgotten about the two-wheelers instead. Who could have known how that decision would backfire on us in the next 72 hours…

Day Five: “The Goan Scavenger”

We covered a hundred kilometers of beaches, national park roads, rice fields and small villages. We were spending nights at local hostels, and, when overtaken by the night (the dark falls quite early in India – 06:00 PM local time), would usually keep going through the dark for two or three hours more. I have no idea how we never hit a cow or a truck…

Don’t worry, I will correct that “mistake” early the next dawn; the time when your senses, dulled by speed, make you twist the gas handle without thinking. A blink of an eye – and I am using my shoulder, pelvis and knees to slow down at 40 km.

“I’m alright! Fine! Fine!” I cried out automatically to the Indians who stopped walking. Eyes popped out of “Mr. Stas’” head when he saw my bike slide.

“Kid’s bruises, a lucky escape,” thought I to myself as I was limping towards my bike. Stop! Why limping? The sandal on by right foot was nothing but pieces of fabric mixed with blood.
The do-rag I was given a couple of years ago at one of Kaspersky Lab’s corporate parties saved me from excessive bleeding during the two hours a taxi cab was wheeling us from one health center to another. They all gave us the same reply: “You need an operation” and then “sorry, we have no surgeon available.” Finally, they stitched up my foot at a local hospital.

Day Seven: One Day Ahead of Nullcon

I spent the day before Nullcon with temperature on a hostel bed. It was time to move to our venue which was some 40 km away from my bed. That meant I had to get back on my bike and crawl along the roadside with caution like one of them elderly guys. That was what we did.

The hotel to host our practical security conference for the next two days was situated near an airport – a strategic facility. The implication was, all approach roads were controlled by the military. Anyway, that information was definitely lost on the two Russian guys cruising down the road without and protective gear on, exchanging cries, one stitched up and bandaged, like a Frankenstein.
The roaring bike tore past the soldiers who responded by blowing a whistle. As they saw another one approaching they whistled no more – they just ran out into the road and began flourishing their arms. “Namaste,” I greeted the uniformed men as I maneuvered past them, considerately. Seeing them jump into their car clearly bent on pursuit, we turned off the road and into the fields…

Nullcon: Day One

A beach hotel with a big pool – if not for the injuries, I would probably never get to writing this report. If the choice of location was to attract more attention to the reports, it certainly was not a good idea, with so many distractions around. Anyway the house was full on the first day. According to the organizers, Nullcon has been steadily growing and right now it has around 600 participants total. If you ask me, there were about 1,000 of them – I am probably not so good at remembering Indian faces.

Rahul Sasi’s report about attacks on drones was among the most expected ones. Rahul has analyzed the security of some of the popular consumer models (such as the Parrot AR.Drone 2.0) and demonstrated some of the interesting vectors for potential attacks (in real life a piece of malware passed from one drone to another has little practical sense so far). For example, an attack on the drone’s GPS-based navigation system will not only baffle it, but also offer a nice opportunity for theft. If we consider this attack vector not with respect to consumer models with expensive video equipment onboard at most, but commercial drones, the power to take over a craft with a machine-gun worth of payload may sound really attractive for criminals or the military.

Another interesting PoC demonstrated by the researcher consisted in planting a backdoor into AR.Drone’s firmware. According to the report, in theory such a backdoor is a relevant threat to all *nix-based systems with ARM architecture, and may allow the attacker to control the quadrocopter remotely. In addition, an infected drone may help to take remote control of other similar quadrocopters by installing the same backdoor. The exploit used to upload this backdoor first kills the auto piloting system and then takes control.

“Rahul, this is certainly hot and incredibly relevant. But what would you do if you were to steal a Parrot Ar.Drone really quickly?” I asked Rahul and his research team in the lobby. “I would attack the onboard Wi-Fi access point,” he replied.

A report titled Cool Boot Attack on DDR2 and DDR3 was no less interesting. The researchers opened no America, of course, as we’ve been hearing about the principles of cold reboot attacks for a few years now, but it was interesting to see examples of successful attacks of this class targeting DDR2 and DDR3 RAM.

In his The NSA Playset report Michael Ossmann spoke about the insides of curious counterparts of the interesting devices, the information about which has gone public and which, according to this information, are used by NSA. Nothing much has changed in his report since Defcon 22.

Nullcon: Day Two

The day of our report on the topic we had covered in our magazine. “Public Terminals Security Analysis – sorry but what are these? Public terminals? No, doesn’t ring the bell.” These were the kind of questions we expected the Indians to ask, but we found out the guys were “in the know.” Even though their country has no terminals that are more or less “public” and more or less “terminals,” they understand all the problems inherent to the devices and expect them to appear before long.

Despite its modesty in all spheres of life, India knows how to have fun and stay positive at all times. The attitude to speakers and even organization quality at Nullcon 2015 have demonstrated this full well. If there is a hackers’ carnival somewhere out there, it will certainly be in India, not far from the beaches of Goa.

Denis has gained diverse experience while working in the information security area. On the defensive side, as a Security Architect, he is responsible for building a security architecture of distributed IT infrastructure across various international business units for a global Fortune 500 company.
As a security researcher with the Global Research and Analysis Team at Kaspersky Lab, he was focused on vulnerability research and security assessment of emerging technologies. Based on his offensive expertise, he's been a founder and leading expert in the development of a threat intelligence product.
Having graduated from the Information Security Faculty of the National Research Nuclear University MEPhI (Moscow Engineering Physics Institute), he is continuing his research project related to methods of targeted attack detection as a Ph.D. candidate.
Denis has presented at many public international security conferences, including Defcon, RSA Conference, CARO, BSides, Infosecurity, as well as multiple closed-door invite-only security industry events.

Almost two years I’ve been focused on cybersecurity of smart medicine. The result was collected in 3 reports:
1. Introduction in the topic: https://t.co/RJDxzpyBHY
2. Threat landscape: https://t.co/mxLEXX3CDg
3. Recommendations and mitigation strategy: https://t.co/v7S3kwmufD